chore: adopt zizmor for GitHub Actions security scanning#29
Merged
Conversation
Extends techne's GHA-security layer beyond check_action_pins.sh (pinning-only) to zizmor's full audit set. Dogfooded on techne itself: zizmor added as a dev dep + `make zizmor` target, wired into `make validate` and the validate.yml gate. Fixes what zizmor surfaced in techne's own workflows: - excessive-permissions (HIGH): docs.yml granted `pages: write` + `id-token: write` at the workflow level (both jobs); only the deploy job (deploy-pages) needs them. Moved to job-scoped perms — the build job needs only `contents: read` (configure-pages defaults to enablement: false and Pages is already enabled, so it only reads). - artipacked (MEDIUM): `persist-credentials: false` on all checkouts (no later git push/fetch needs the token). Remaining (ROADMAP): propagate to the sisters — they share the same workflow-level permission over-grant + artipacked. research(2026-05): Trail of Bits "We hardened zizmor" (2026-05-22); zizmor audit docs. Verified: make validate green (lint + shellcheck + zizmor 0 findings + structural/pin checks).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adopts zizmor (Trail of Bits' GHA static analyzer) as techne's broader GitHub Actions security layer — extending beyond
check_action_pins.sh(pinning-only) to zizmor's full audit set (template injection, excessive-permissions, artipacked, unpinned-uses, secrets exposure, …). Dogfooded on techne first; sister propagation tracked in ROADMAP.Why now
The note flagged "zizmor as a broader GHA-security layer." Web-search (May 2026) confirms it's the current, actively-maintained tool — Trail of Bits hardened it on 2026-05-22 after the March 2026 trivy-action → LiteLLM supply-chain attack. Continues last session's SHA-pinning hardening arc.
Changes
zizmordev dep +make zizmortarget, wired intomake validateand a new validate.yml "GHA security (zizmor)" step (gates every PR).docs.ymlgrantedpages: write+id-token: writeat the workflow level (both jobs); onlydeploy(deploy-pages) needs them. Moved to job-scoped perms. Thebuildjob needs onlycontents: read—configure-pagesdefaults toenablement: falseand Pages is already enabled, so it only reads config (verified via the action manifest).persist-credentials: falseon all checkouts (no later git push/fetch needs the token — matches velocity-fl's existing pattern).Verified
make validategreen: ruff ✓ · shellcheck ✓ · zizmor 0 findings ✓ · structural + pin checks ✓.research(2026-05): Trail of Bits — hardening zizmor, zizmor audit docs.
Follow-up (ROADMAP)
Propagate to the sisters — every FL/docs sister carries the same workflow-level permission over-grant + artipacked; each needs findings triaged in its own PR. actionlint + SARIF→code-scanning are later enhancements.